With Ansible you can use vaults to encrypt and hide the passwords in your configuration files.

This is the last post in a series of 3 articles about Docker and Ansible:
Part I: from Docker Compose to Ansible
Part II: using variables
Part III: using vault to encrypt sensitive information

Create your vault

To create your vault:

$ ansible-vault create vault.yml
New Vault password:
Confirm New Vault password:

This will open your text editor.

Add the variables that should be encrypted:

mysql_db_root_password: "secret_root"
mysql_db_password: "secret_user"

Put your vault in your playbook

We can reuse the playbook that we created in the previous post, but we will delete mysql_db_password and mysql_db_root_password from the file and include vault.yml instead:

- hosts: localhost

  # Encrypted variables are loaded from the vault file
  vars_files:
    - vault.yml

  vars:
    docker_network: network_app
    mysql_db_name: db
    mysql_db_user: ghost
    mysql_db_host: db

  tasks:
  - name: Run Percona container
    docker_container:
      name: 'percona'
      recreate: true
      restart_policy: unless-stopped
      image: 'percona:latest'
      volumes:
        - "percona:/var/lib/mysql"
      env:
        # Both passwords now come from vault.yml
        MYSQL_ROOT_PASSWORD: "{{ mysql_db_root_password }}"
        MYSQL_DATABASE: "{{ mysql_db_name }}"
        MYSQL_USER: "{{ mysql_db_user }}"
        MYSQL_PASSWORD: "{{ mysql_db_password }}"
      networks:
        - name: "{{ docker_network }}"

Then launch the playbook:

$ ansible-playbook deploy.yml --ask-vault-pass
Vault password:

That's it: the sensitive information is now encrypted in vault.yml.
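
A vault file only protects the passwords if it is still encrypted when it gets committed. The script below is an added example, not part of the original post: it checks that each file passed to it starts with the header ansible-vault writes and contains only hex afterwards. The function names is_vault_encrypted and find_plaintext_vaults are hypothetical, and the check assumes the default AES256 vault format.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): check that vault files are
# really encrypted before they are committed.

# Return 0 if FILE looks like ansible-vault output, 1 otherwise.
is_vault_encrypted() {
    local file=$1 header=
    [ -r "$file" ] || return 1
    IFS= read -r header < "$file" || [ -n "$header" ] || return 1
    # First line written by ansible-vault:
    #   $ANSIBLE_VAULT;<version>;<cipher>[;<vault-id>]
    case $header in
        '$ANSIBLE_VAULT;'[0-9].[0-9]';AES256' | '$ANSIBLE_VAULT;'[0-9].[0-9]';AES256;'*) ;;
        *) return 1 ;;
    esac
    # Every later line must be hex only: a variable appended by hand in
    # plaintext below a valid header still fails the check.
    if tail -n +2 "$file" | grep -qv '^[0-9a-fA-F]*$'; then
        return 1
    fi
    # A header with no payload is not a usable vault.
    tail -n +2 "$file" | grep -q '[0-9a-fA-F]'
}

# Report every listed file that is not encrypted; return 1 if any was found.
find_plaintext_vaults() {
    local rc=0 f
    for f in "$@"; do
        if ! is_vault_encrypted "$f"; then
            printf 'NOT ENCRYPTED: %s\n' "$f" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Hook usage: pass the vault files to check, e.g. "vault.yml".
if [ "$#" -gt 0 ]; then
    find_plaintext_vaults "$@" || exit 1
fi
```

Called from a Git pre-commit hook or a CI step with vault.yml as argument, it exits non-zero when the file was saved or decrypted in plaintext.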

Feel free to correct me if you see any typo or if something seems wrong to you.